Risk Management

Policy and Basic Concept

The ITOCHU Group is exposed to various risks, such as market, credit, and investment risks, due to the wide range of its businesses. These risks include unpredictable uncertainties and may have significant effects on the ITOCHU Group’s future financial position and business performance.
We acknowledge risk management as a key management issue. Therefore, we have established our basic risk management policy and develop necessary risk management systems and techniques based on the concept of the COSO-ERM framework.

Targets and Action Plan

Risks
  • Occurrence of business continuity risk or unexpected loss resulting from the malfunction of corporate governance or internal control.

Opportunities
  • Improvement of transparency in decision-making, appropriate response to changes and establishment of a stable basis of growth enabled by the establishment of a firm governance system.

Materiality: Maintain Rigorous Governance Structures
  • Impact Classification: Governance
  • Issues to address: Maintaining and reinforcing a governance system for achieving sustainable growth
  • Business area: Risk management
  • Commitment: We will build a system for group risk management and maintain it to manage the risk of loss and ensure the appropriateness of our corporate group’s operations.
  • Specific approach: Conduct regular reviews of risk management systems that have been established, including internal committees and risk management departments, various rules and regulations, reporting and monitoring systems, as well as the effectiveness of such systems.
  • Performance indicators: Maintain a firm governance system in the medium- and long-term by establishing a PDCA cycle, including development and implementation of action plans by the departments responsible for risk management, and monitoring and reviews by internal committees.
  • Degree of Progress: We reviewed the progress of the FYE 2024 action plans submitted by each division responsible for risk management. We reported to the Internal Control Committee, held in October 2023 (review of the first half of FYE 2024) and in April 2024 (review of the second half of FYE 2024, and the action plans for FYE 2025), that ITOCHU’s internal risk management system is active, including all issues dealt with during the period.

Structures and Systems

Risk Management Structure

Risks associated with business operations are managed under oversight from the Board of Directors, within the responsibilities mandated to our division companies, the Headquarters Management Committee (HMC), and relevant committees.

ITOCHU has established internal committees and responsible departments in order to address the various risks associated with the Group’s business operations, such as market risk, credit risk, country risk, and investment risk. At the same time, on a Group basis ITOCHU has developed the risk management systems and methods to manage various risks individually and on a companywide basis. Those include a range of management regulations, investment criteria, risk exposure limits, and transaction limits, as well as reporting and monitoring systems. Moreover, ITOCHU regularly reviews the effectiveness of its risk management systems and the managing officer for each risk reports on results and findings to the board of directors.

At the Group level, ITOCHU’s structural approach to risk management is overseen by the President and Chief Operating Officer (COO) and the Board of Directors and aims to ensure timely and sound executive decision making. The HMC, which is chaired by the President and COO and comprised of the Chairman and Chief Executive Officer (CEO) and other executives appointed by the President and COO, is the committee that sits at the highest level regarding our risk management system. Subsequent committees that report up to the HMC, also referred to as Principal Internal Committees, which include the Internal Control Committee, Disclosure Committee, ALM Committee, Compliance Committee, Sustainability Committee, and Investment Consultative Committee, are responsible for identifying and addressing risks and incidents in their respective fields.

The Sustainability Committee, one of the Principal Internal Committees introduced above, is tasked to promote sustainability in the ITOCHU Group’s company-wide risk management. The Committee manages operational ESG risks such as human rights risks, health and safety risks, climate risks, and natural disaster risks, as well as ESG risks related to investments. The Committee cooperates with other Committees as necessary and makes decisions on policies and initiatives to address ESG risks and operational improvements to further mainstream sustainability concerns in our risk management culture. Activities and findings are compiled by the Committee and reported to the Board of Directors annually.

At the individual Company level, each Company’s President reports to the Division Company Management Committee (DMC), an advisory body to the Companies. The DMC deliberates on important issues such as those regarding investments, lending, assurance, and business management that have the potential to substantially impact the management of each company. If the risks identified or escalated exceed the responsibilities mandated to the DMC, depending on the gravity of the risk and upon deliberation with other committees as necessary, risk issues may be escalated to the HMC and/or the Board of Directors.

ITOCHU is a company with Audit & Supervisory Board Members and endeavors to strengthen the monitoring/supervising function and ensure the transparency of decision making by having the Audit & Supervisory Board Members (including outside Audit & Supervisory Board Members) fully monitor corporate management. Auditors are therefore independent from the Committees within our risk management structure, including the HMC, but do attend Committees to perform their monitoring/supervising responsibilities. The Internal Audit Division, which serves as the organization’s internal audit system under the direct control of the President & COO, is responsible for internal audits and conducts independent audits of departments, division companies, and group companies responsible for risk management. The audit results are reported directly to the Chairman & CEO and President & COO, as well as to the Executive Officers’ meetings where Members of the Board and Audit & Supervisory Board Members are present, thereby establishing a dual reporting line. The Division also cooperates with the Audit & Supervisory Board to ensure the effectiveness of internal auditing.

Risk Management Governance Structural Chart (As of June 21, 2024)

  • Internal Audit Division reports directly to Chairman & CEO and President & COO, and to Executive Officers’ meetings where Members of the Board and Audit & Supervisory Board Members are present

Response to Significant Risks for ITOCHU

We are responding to major risks by building information management and monitoring systems at each department responsible for managing these risks on a consolidated basis.

Compliance Risks
  • Responsible Department (Managing Officer): Legal Division (CAO)
  • Leading Risks: Risks relating to compliance with various laws, ordinances and regulations
  • Risk Mitigation Measures: Compliance officers in each organization (including companies) manage risks and give guidance on them based on the ITOCHU Group Compliance Program.

Legal Risks (Excluding Compliance Risks)
  • Responsible Department (Managing Officer): Legal Division (CAO)
  • Leading Risks: Risks from various regulatory restrictions and changes to laws, risks incurred from regulatory tightening and deregulation, risks incurred due to different administration and interpretation of legal systems, and risk of losses (compensation liability etc.) occurring due to disputes (lawsuits and complaints)
  • Risk Mitigation Measures: Mitigate the risk of losses expanding by checking contracts and other paperwork in advance in relation to conflicts (lawsuits and complaints). Raise awareness about risks from changes to laws and ordinances by holding various courses. Respond to those risks by accepting inquiries on a case-by-case basis.

Risks Associated with Trade Security Policy Management
  • Responsible Department (Managing Officer): Legal Division (CAO)
  • Leading Risks: Risks relating to compliance with the Foreign Exchange and Foreign Trade Act (security-related) and risks relating to international security such as the legal regulations and sanctions of other countries
  • Risk Mitigation Measures: The Export Control & Sanctions Department performs centralized management. Perform appropriate management and give guidance in cooperation with the Export Control Program Officers in each company or department.

Risks Associated with Customs
  • Responsible Department (Managing Officer): Legal Division (CAO)
  • Leading Risks: Risks relating to compliance with the three customs acts (Customs Act, Customs Tariff Act and Act on Temporary Measures Concerning Customs)
  • Risk Mitigation Measures: Conduct in-house monitoring, provide training, accept inquiries on a daily basis, ensure employees and officers are aware of laws and ordinances, and hold periodic report briefings on customs in line with import customs clearance management and customs management manuals, and export customs clearance management manuals.

Country Risks
  • Responsible Department (Managing Officer): Global Risk Management Division (CFO)
  • Leading Risks: Risk of losses occurring due to the actions of nations themselves or the environment in which those nations have been placed
  • Risk Mitigation Measures: The Global Risk Management Division periodically aggregates the country risk exposure and discloses it as the outstanding balance of investments, loans and guarantees by major country.

Commodity Price Risks (Specific, Important Product)
  • Responsible Department (Managing Officer): Global Risk Management Division (CFO)
  • Leading Risks: Risk of losses occurring due to product market price fluctuations
  • Risk Mitigation Measures: Set monetary amount limits, quantity limits and period loss limits. Periodically review compliance with those limits.

Credit Risks
  • Responsible Department (Managing Officer): Global Risk Management Division (CFO)
  • Leading Risks: Risk of losses occurring due to default on debts in contracts with associated companies
  • Risk Mitigation Measures: Set credit amounts for each associated company and transaction type. In principle, review the credit amounts annually.

Investment Risks
  • Responsible Department (Managing Officer): Global Risk Management Division (CFO)
  • Leading Risks: Risks relating to new investment execution and existing business monitoring and exit decision-making
  • Risk Mitigation Measures: Make decisions on new investments based on investment standards. Periodically monitor existing investments. Promote asset replacement by applying the EXIT selection standards on investments not worth holding.

Stock Price Risks
  • Responsible Department (Managing Officer): Global Risk Management Division (CFO)
  • Leading Risks: Risk of losses occurring due to stock price fluctuations
  • Risk Mitigation Measures: Periodically identify and monitor the amount of impact on consolidated shareholders’ equity due to stock price fluctuations.

Foreign Exchange Rate Risks
  • Responsible Department (Managing Officer): Finance Division (CFO)
  • Leading Risks: Risk of losses occurring due to foreign exchange rate fluctuations
  • Risk Mitigation Measures: Mitigate risks through hedge transactions using futures exchange contracts and other derivatives.

Interest Rate Risks
  • Responsible Department (Managing Officer): Finance Division (CFO)
  • Leading Risks: Risk of losses occurring due to interest rate fluctuations
  • Risk Mitigation Measures: Mitigate interest rate fluctuation risks by tracking the interest rate mismatch amount.

Financing Risks
  • Responsible Department (Managing Officer): Finance Division (CFO)
  • Leading Risks: Risk that it will no longer be possible to raise financing smoothly due to turmoil in the financial markets
  • Risk Mitigation Measures: Ensure sufficient liquidity by using cash and deposits and commitment lines. At the same time, mitigate risks by diversifying financing sources and methods.

Information System and Security Risks
  • Responsible Department (Managing Officer): IT & Digital Strategy Division (CXO)
  • Leading Risks:
    • Risks relating to non-operation of information systems caused by natural disasters and man-made disasters (terror etc.), computer equipment and network equipment failures, and program, operation and procedure mistakes
    • Risks relating to information leaks, falsification and destruction due to unauthorized access to information systems from inside and outside the company
  • Risk Mitigation Measures:
    • Monitor the application and compliance of information security guidelines and cybersecurity frameworks.
    • ITOCHU Cyber & Intelligence Inc. strengthens defense systems and raises awareness through training.

Labor Management Risks
  • Responsible Department (Managing Officer): Human Resources & General Affairs Division (CAO)
  • Leading Risks: Risks which may occur in labor management (long working hours, unpaid overtime, etc.)
  • Risk Mitigation Measures: Company and Headquarters human resources and general affairs staff summarize on-site inquiries and reports and then communicate them to the Human Resources & General Affairs Division. Appropriately respond in consultation with legal advisors as necessary.

Human Resources Risks
  • Responsible Department (Managing Officer): Human Resources & General Affairs Division (CAO)
  • Leading Risks: Risks arising from the shortfall, outflow and securing of management and operational human resources
  • Risk Mitigation Measures: Secure diverse human resources. Continuously develop abilities including by cooperation between ITOCHU and group companies. Place the right people in the right place by developing a rewarding working environment.

Risks Associated with the Appropriateness of Financial Reporting
  • Responsible Department (Managing Officer): General Accounting Control Division (CFO)
  • Leading Risks: Risks relating to securing reliability in financial reporting by preparing and disclosing appropriate financial reports
  • Risk Mitigation Measures: Appoint a person in charge of collecting information on the new establishment, revision and abolition of accounting standards. Disseminate that information by issuing notifications, posting on the intranet, and sending emails.

Risks Associated with Internal Control
  • Responsible Department (Managing Officer): General Accounting Control Division (CFO)
  • Leading Risks: Risk of incidents and fraud occurring due to employees and officers not performing operations in line with the rules and manuals relating to accounting
  • Risk Mitigation Measures: Monitor internal control operations.

Environmental and Social Risks
  • Responsible Department (Managing Officer): Sustainability Management Division (CAO)
  • Leading Risks: Risks relating to compliance with environmental and social related laws and ordinances and promotion of key issues in sustainability
  • Risk Mitigation Measures: Plan a system to identify environmental and social risks in our company and value chains when starting and continuing trades and business investment operations, and to monitor the status of the response to those risks. Monitor in cooperation with other departments as appropriate.

Emerging Risks

The ITOCHU Group’s business environment is changing, and uncertainties are increasing. Through PEST analysis, we fully assess risks and opportunities in the context of macroenvironmental factors—such as economic recession risks, geopolitical risks, and environmental and social risks—and build an even stronger competitive edge by implementing flexible measures and transforming businesses in response to changes in the times and the business environment.
Please refer to the PEST analysis in our Integrated Report.

Initiatives

Risk Management Method

We conduct the following management throughout the year to build a PDCA cycle. We periodically move through the risk management cycle. Through these efforts, we are mitigating and preventing increasingly complex and diversifying risks.

  1. Plan: The departments responsible for managing the major risks formulate action plans to prevent and mitigate those risks every year. They then comprehensively identify potential risks. After that, the Internal Control Committee discusses the risks which should be tackled and management policies. The CSO then approves those policies.
  2. Do: Take measures based on the management policies.
  3. Check: Compile the status of measures and the following term’s action plans every six months. Report the status and action plans to the Internal Control Committee.
  4. Action: Take improvement measures and additional measures.

Risk Capital Management*1 and Management of Concentration Risk

Risk Assets and Risk Buffer*2

  *1 The cost of shareholders’ equity set at 8%
  *2 Risk Buffer = Total shareholders’ equity + Non-controlling interests

Strict Management of Risk Assets

Our basic operational policy involves first calculating risk assets based on the maximum amount of possible future losses from all assets on the balance sheet including investments and all off-balance-sheet transactions. Second, we manage the amount of risk assets within the limits of our risk buffer (Total shareholders’ equity + Non-controlling interests). As we promote investments that will lead to the evolution of existing businesses moving forward, we will work to maintain risk assets within the limits of our risk buffer, conduct strict risk management, and further strengthen our financial position.

Business Investment Management

Fundamental Approach

Along with strategic business alliances, business investment is an important means of creating new businesses. To actively promote strategic investments in areas of strength in a timely manner, we choose the optimal structure from a wide range of methods, such as establishing a wholly owned subsidiary, implementing joint investment with partners, and participating in management through M&As or converting to a consolidated subsidiary.
In principle, we hold investments continuously. After making each investment, we work to maximize the investee’s corporate value and to expand trading profit and dividends received by fully utilizing our Groupwide capabilities. Given such considerations as larger-scale investments in recent years, we are rigorously screening the appropriateness of the business plan and acquisition price. For existing investments, to increase investment earnings and to exit quickly from low-efficiency assets, we are further strengthening monitoring procedures, centered on instituting more rigorous exit criteria and thoroughly implementing periodic investment review.

Decision-Making Process for New Investments

We use a multilayered decision-making process that achieves quick decision-making by giving a certain level of discretion to the Division Companies while striving to pursue investment return and curb investment risk.
Regarding investment risks, the risk appetite is determined by considering factors such as market growth and stability, the impact on our company’s performance, and the feasibility of risk management.

Business Investment Process

Starting with the impact of COVID-19, the business environment changed dramatically.
Against this background, we steadily implemented strategic investment at the right time and divested businesses which are less efficient or past the peak.
At the same time, we strictly implemented various processes, including the verification of the validity of business plans at the time of investment decisions, and meticulously monitored those decisions after investing. This allowed us to maintain a high ratio of profit-making group companies at 92.0% in FYE 2024.

Number of Consolidated Subsidiaries and Share of Group Companies Reporting Profits

Security Risk Management

Policy and Basic Concept

The ITOCHU Group has established a code of conduct for all members of the Board and employees regarding the handling of information, and views maintaining a high level of security as a key factor in addressing information security risks. Additionally, we have established an Information Security Policy. All officers and employees strive to properly handle, manage, protect, and maintain information in accordance with the policy.

Structures and Systems

The Chief Transformation Officer (CXO) holds overall responsibility for digitalization strategy and information security measures in the ITOCHU Group and chairs the IT Strategy Committee. The IT Strategy Committee deliberates policies, regulations and information security strategy, monitors the management situation, and reports to the Board of Directors as appropriate, ensuring a high level of information security.

Name: IT Strategy Committee
Chairman: Chief Transformation Officer (CXO)
Objectives:
  • Deliberates regarding IT and digital strategy (Annual IT Strategic Plan, etc.)
  • Reviews policies and measures for information security

Initiatives

ITOCHU has formulated a company-wide information strategy for digital transformation (DX) and data-driven management and is aiming for IT-based management. In order to ensure a high level of information security that supports these management foundations, we continue to take thorough measures for crisis management, including the establishment of security guidelines, the expansion of security infrastructure, and the strengthening of technical security measures against malware, etc.

We routinely collect the latest information regarding potential cyber threats by analyzing system logs and malware. Additionally, when incidents do occur, we respond instantly by investigating their causes, discussing possible countermeasures, and restoring services. This is done by the ITOCHU Computer Emergency Readiness, Response & Recovery Team (ITCCERT), a cybersecurity team whose members are senior cybersecurity analysts. As a framework for cybersecurity governance in the ITOCHU Group companies, the “ITOCHU Group Cybersecurity Framework”, which consists of regulations, systems and processes, was rolled out in 2022. In addition, ITOCHU Cyber & Intelligence Inc. was established in February 2023 to provide the Cybersecurity Countermeasure Programs to Group companies, thereby ensuring sustainable and practical operations for the framework. We also provide training programs to develop technicians proficient in cybersecurity, including at Group companies. There are only a few cases in Japan where companies are working as actively as we are to develop systems and respond to information security risks. Moving forward, we plan to maintain these initiatives and make enhancements where necessary to ensure sustainable growth that is free from cyber threats.

We periodically engage in the training programs listed below to maintain and improve our information security program.

  • Twice a year, we provide training to all employees on how to identify and respond to targeted e-mail attacks.
  • All global employees including those in group companies are subject to a mandatory, simultaneous e-learning course on information security, which is held every three years.
  • Several times a year, the ITCCERT leads an internal cybersecurity workshop for ITOCHU Group companies.
  • Policies regarding information security and the management of personal information are required to be communicated to employees upon hiring. If amendments or updates are made to these policies, all executives and employees receive a notification of the changes made. Employees are also updated on such amendments in their periodic e-learning training.
  • We conduct a drill on Business Continuity Plans once a year. In addition, exercises to evaluate and test security measures are conducted by a third party at least once a year.

Business Continuity Plan

Please refer to Business Continuity Plan in Internal Control System for details.